Rolling for Resilience: A Strategic Guide to Cybersecurity Table-top Exercises

Giovanni Cofré

This is the first post in a series presenting my perspective on the current state of Cybersecurity Incident Response training, and an approach to improve interest, participation, and expanded learning.


Rolling a 1 on Engagement:

Rethinking the Security Awareness Check

Let’s be real, convincing employees to sit through Cybersecurity training can feel like failing a charisma check when trying to convince a Rogue to read a lock-pick how-to manual.

Monotonous. Stale. Uninspired. Even plebeian.

Checklists. Compliance modules. Dry documentation. Important? Of course, yet not engaging at all.

Thankfully, there is a better (yes, I am biased) way to avoid rolling a natural 1, often the trigger for the most spectacular of failures, on your training save roll. The key is getting party engagement and encouraging real learning, which is really the ultimate objective for everyone!

[Image: Lore Scroll Y2K]

Choosing a training format can feel like rolling on a random loot table. Some rolls are rare and rewarding, a +10 of Secure Configurations. Others are just common low-level scrolls, technically useful yet rarely exciting, and occasionally cursed with -2 Boredom. One of the difficulties in deciding how to train is that there are so many formats for delivering and presenting training, from textbooks and computer-based courses to virtual sessions, blog posts, and white papers. But format is just part of the learning equation. There are also different styles for presenting the content being trained on. From task-driven command to guided discovery, from reciprocal teaching to problem-solving challenges, each combination of delivery format and presentation style has its own benefits and disadvantages for most participants.

Finding the appropriate balance typically comes down to the delivery method and to understanding the reasons and motivation behind participating in the training in the first place. With respect to Cybersecurity training, the topics are many and can range from narrow to wide in focus, and from shallow to deep in detail. Even the most eager party member may lose focus when the quest is delivered in monotone by a Dungeon Master merely reading slides. Could PowerPoint be a mimic!?!? No thank you. The delivery format and topic presentation need to be compatible with the participants' learning needs and style. Otherwise, there is a risk of minimal knowledge transfer and a lack of true learning.

Cybersecurity training… love it or hate it, this subject matter training is here to stay at every level within most organizations. But that does not mean it cannot be made at least tolerable (I prefer a healthy dose of fun) through table-top exercises. What is a table-top exercise, you ask? Think of a table-top exercise as your narrative arc: gathering your party (team members), stepping into character, and responding to threats with the tools, spells, and policies at their disposal. Make it a collaborative campaign, a "choose your own incident" story, where table-top participants roll with uncertainty (at times) and adapt on the fly, just like the best adventuring parties do. All of it based on participant skills, experience, knowledge, and directives.

So let’s look at a common table-top topic…


From Character Sheets to Chaos:

Practicing Your IR Plan in the Proving Grounds

It is one thing to have Incident Response Plans (IRPs) neatly documented in a digital scroll. It is another to actually cast them effectively under the pressure of an actual compromise. And no… the Wizard casting fireball is not always a sound tactic.

One primary objective of a table-top exercise is to test how well the organization's response procedures measure up when the dice are rolled: when real-time decisions are made and become either the protective shields or the failed spell cast in defending users, systems, and information. Are the tactics, techniques, and procedures (TTPs) sufficiently comprehensive and adaptable?

Defining what is "comprehensive" will vary based on which services (e.g., SSO, VPN) and platforms (e.g., AD, email, internet) are offered and in play. To be clear, I am not suggesting that IRPs account for every possible scenario. That would be inconceivable. Even the best DMs can be challenged to prepare for every chaotic neutral action. However, the plans do need to sufficiently cover the actual attack vectors that the company faces.

[Image: DM Note 1]

This is where table-top scenarios are the best proving grounds. They provide a safe space to explore and test plans, to simulate plausible threat-actor encounters, and to account (or not) for assumed adversarial tactics based on past attacks. With respect to assumptions, a typical early realization for participants is that their belief about who is responsible for what is incorrect. As the facilitator, it is always quite interesting to listen to, watch, and experience this unfold. The most common response is "That is the [fill in the blank] team's responsibility…". Essentially rolling a natural 1 on Accountability… Critical failure.

These moments expose more than just role confusion. Table-top exercises also surface technical deficiencies, brittle communication channels, and ill-aligned expectations. It is better to have these details surface during the exercise instead of during a real-world boss battle.

[Image: Party Tip 1]

XP Unlocked:

Earning the Adventure Party’s Buy-In Through Play

At their core, table-top exercises are collaborative, team-building quests that motivate problem solving, a shared drive to succeed, and cross-functional ownership of outcomes.

I approach facilitation as a "choose your own adventure" campaign, one that invites everyone to the table, not just the party leads. These sessions encourage open discussion amongst all team members, creative thinking, and narrative-driven skill checks based on addressing the real risk encountered.

[Image: Party Tip 2]

This transforms passive scroll-reading into active scenario engagement, and turns training from a lecture into a lived experience. When participants step into the exercise, they are not just reviewing incident response steps and tasks; they are playing their part in the defense of the realm. This level of immersion leads to greater participation, stronger memory retention, and a deeper sense of team cohesion, with the party gaining XP (Experience Points) through risk-based exploration.

The Tavern Rule:

Growing Through Mistakes, Not Critique

[Image: DM Note 2.0]

In any well-facilitated table-top, the proverbial tavern is a place where all voices are welcome. This is the moment in the campaign where the party gathers, curiosities and ideas are exchanged, and "what if" scenarios are asked openly and without fear of rolling a critical fail in front of leadership. Participating leaders, especially those with positional authority, must step back and allow their teams to stretch their minds, challenge assumptions, and test their creativity in problem solving.

Creating this type of space allows for an openness that builds trust within and across teams. It becomes a place not only for problem solving but for relationship building, a rare pause in the daily grind and a stress-free environment where difficult conversations can be explored in constructive and supportive ways.

No Saving Throws Needed:

A Safe Space to Fail and Learn

Keep in mind that, like a D&D adventure, a table-top exercise is not a certification exam. It is not about passing or failing. It is about playing through the unknown together.

These campaigns need to be built around engaging storylines based on actual, real risk scenarios. They need to be well guided and fun, inviting active participation from all participants as they consider the outlined IRP steps, their responsibility to carry out supporting tasks, and their shared responsibilities. The result is not merely knowledge transfer and accumulation, but organizational growth. These interactions help widen realization and understanding across departments and become the foundation for a resilient security culture and program.

[Image: Critical Hit Miss 2.0]

Call to Action

It's time to gather the adventurers. Unroll the maps (IR Plans). And get ready to roll for initiative.

Table-top exercises are not just another compliance check-box item; they are the start of your team's campaign towards real Cyber resilience. An opportunity to practice, learn through play, and grow together through shared discovery.

In the next chapter, we leave the tavern behind and head forth into the wilds, where cross-team communication and leadership alignment and dialogue are the difference between success and failure on the adventure.

This is the first in a series of posts intended to encourage support for changes in how training can and should be approached. At Secure Ideas we specialize in table-top exercises, training, consulting and advisory services, security assessments, PCI DSS compliance, vulnerability management, and penetration testing services that give our clients visibility into what goes unnoticed. Whether providing in-house Cybersecurity training, securing Industrial Control Systems (ICS), or performing penetration testing, our objective is to help clients understand hidden risks, expand the Cybersecurity mind-set and culture, and ensure safe and resilient operations.

About The Author:

Giovanni Cofré joins Secure Ideas with 25+ years of IT experience, specializing in network security for corporate, OT, and e-commerce environments since 2000. He's committed to mentoring security professionals and promoting security awareness. His expertise spans multiple industries in both private and public sectors, where he's implemented security frameworks based on CIS CSC, HITRUST, PCI, and NIST standards. Giovanni excels in vulnerability assessment, penetration testing, and developing practical security processes. His notable work in e-commerce and energy industries includes establishing secure coding practices and maturing enterprise security strategies. Giovanni focuses on environment-specific practices that meet business needs while building resilient infrastructures.
